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Abstract 

This article advances a principled proportionate governance model (PPGM) that 
overcomes key Impediments to using health records for research. Despite increasing 
initiatives for maximising benefits of data linkage, significant challenges remain, 
Including a culture of caution around data sharing and linkage, failure to make use of 
flexibilities within the law and failure to Incorporate intelligent Iterative design. The 
article Identifies key issues for consideration and posits a flexible and accessible gov- 
ernance model that provides a robust and efficient means of paying due regard to both 
privacy and the public Interests in research. We argue that proportionate governance 
based on clear guiding principles accurately gauges risks associated with data uses and 
assigns safeguards accordingly. This requires a clear articulation of roles and respon- 
sibilities at all levels of decision-making and effective training for researchers and data 
custodians. Accordingly, the PPGM encourages and supports defensible judgements 
about data linkage in the public interest. 
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Introduction 

The linking of health records and other data for research has great potential to bring 
about considerable improvements in the health and well-being of populations.' Initia- 
tives dedicated to maximising the benefits of data linkage, both within and beyond the 
health sector, have already made significant progress.^ Models in Western Australia^ and 
Manitoba^ have proven particularly successful. The United Kingdom is also developing 
initiatives, with strong encouragement fi-om the government and significant financial 
support of the major funding councils (Research Councils UK). The most recent 
£19m collaborative funding call was an unprecedented endeavour involving all estab- 
lished funding councils, Wellcome Trust, health charities and regional government 
offices. It stressed that ' ... it is vital that the UK research community is in a strong posi- 
tion to maximise the health research potential offered by linking electronic health 
records with other forms of routinely collected data and research datasets'.^ The era 
of eHealth is truly upon us.* 

The data linkage initiatives already existing in the United Kingdom^ have reinforced 
very clearly the inadequacies of the current governance framework and its inability to 



1. See, for example, Academy of Medical Sciences, Personal Data for Public Good: Using 
Health Information in Medical Research (2011); Academy of Medical Sciences, A New 
Pathway for the Regulation and Governance of Health Research (2012); R. Thomas and T. 
Walport, Data Sharing Review Report (2008); W. Lowrance, Learning from Experience: 
Privacy and the Secondary Use of Data in Health Research (London, UK: Nuffield Trust, 
2002); B. Miriovsky et al, 'Importance of Health Information Technology, Electronic Health 
Records, and Continuously Aggregating Data to Comparative Effectiveness Research and 
Learning Health Care', Journal of Clinical Oncology 15 (2012), pp. 4243^248; I. Kohane, 
'Using Electronic Health Records to Drive Discovery in Disease Genomics', Nature 
Reviews Genetics 12 (2011), pp. 417^28; C. Safran et al, 'Toward a National Frainework 
for the Secondary Use of Health Data: An American Medical Informatics Association White 
Paper', Journal of the American Medical Informatics Association 14 (2007), pp. 1-9. 

2. Such initiatives include: SHIP (Scottish Health Informatics Programme). Available at: http:// 
www.scot-ship.ac.uk (accessed 2 December 2012); EHR4CR (Electronic Health Records for 
Clinical Research). Available at: http://www.ehr4cr.eu (accessed 2 December 2012); The 
Secure Anonymised Infonnation Linkage (SAIL) Databank. Available at: http://www. 
ehi2.swansea.ac.uk/en/sail-databank.htm (accessed 2 December 2012). 

3. Data Linkage WA. Available at: http://www.datalinkage-wa.org (accessed 14 September 2012). 

4. Manitoba Centre for Health Policy. Available at: http://umanitoba.ca/faculties/medicine/ 
units/community_health_sciences/departmental_units/mchp (accessed 14 September 2012). 

5. Medical Research Council, E-Health Informatics Research Centres Call. Available at: http:// 
www.mrc.ac.uk/Fundingopportunities/Calls/E-healthCentresCall/index.htm (accessed 29 
August 2012). 

6. As we have argued elsewhere, G. Laurie and N. Sethi, 'Towards Principles-Based 
Approaches to Governance of Health-related Research using Personal Data' , European Jour- 
nal of Risk Regulation 1(2013), pp. 43-57. 

7. See Scottish Health Informatics Programme, Electronic Health Records for Clinical 
Research and The Secure Anonymised Information Linkage (SAIL) Databank in addition 



170 



Medical Law International 13(2-3) 



meet the needs of pre-existing and future (increasingly ambitious) linkages. The regula- 
tory hurdles obstructing the optimal use of data for research are only too familiar and 
have been extensively discussed within the literature.^ The same key challenges conti- 
nually re-emerge. These are that the current landscape is primarily characterised by (i) 
a culture of caution among data custodians, many of whom are unwilling to link or share 
data, (ii) the failure to take account of flexibilities within the law that permit and support 
such linking and sharing and (iii) the failure of the regulatory framework to reflect or 
incorporate iterative intelligent design of instances of 'good governance'.^ 

The establishment of the Health Research Authority in December 2011 was a clear 
signal from the UK government to deliver more streamlined governance mechanisms. '° 
This concrete action is a manifestation of the political rhetorical commitment to 
improvement and efficiency that followed the publication of the Academy of Medical 
Sciences report in 2011 and which purported to lay down the 'guiding principles' for 
advancement in this field: 

to safeguard the well-being of research participants; to facilitate high-quality health 
research to the public benefit; to be proportionate, efficient and coordinated and maintain 
and, to build confidence in the conduct and value of health research through independence, 
transparency, accountability and consistency." 

But the devil is in the detail of what this can, and should, mean in practice. These 
'principles' have the quality of self-evident truths: no one would support a system that 
was unsafe, obstructive, disproportionate and untrustworthy. Rhetoric aside, then, we 
must ask what these claims and this opportunity will mean for the future of information 
governance in health research. 

We argue in this article that these common objectives can be achieved via the delivery 
of a principled proportionate governance model. This has the potential not only to over- 
come existing challenges but also to provide additional benefits to the governance frame- 
work, for example, by stressing and facilitating a holistic approach to risk assessment, 
which extends beyond a tick-box mentality towards responsible data sharing. In the first 
part of the article, we examine forensically the key obstacles within the current 



to: A Scotland-wide Data Linkage Framework for Statistics and Research: Consultation 
Analysis. Available at: http://www.scotland.gov.uk/Publications/2012/08/3287 (accessed 2 
December 2012). 

8. See in particular: B. Rumbold et al. Understanding Information Governance: Access to 
Person-Level Data in Health Care (London: Nuffield Trust, 2011); Academy of Medical 
Sciences, ^Personal Data'' and 'A New Pathway'; R. Thomas and T. Walport, 'Data 
Sharing Review Report'. 

9. J. Peto et al., 'Data Protection, Informed Consent, and Research', British Medical Journal 
328 (2004), pp. 1029-1030. 

10. By virtue of the Health Research Authority (Establishment and Constitution) Order 201 1, S. 
I. 201 1/2323, the HRA has been established to protect and promote the interests of patients 
and the public in health research. 

11. The Academy of Medical Sciences, 'A New Pathway' , p. 6. 
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governance regime to reveal their true nature as part of a currently disconnected regula- 
tory architecture. We acknowledge that whilst efforts have been made to ameliorate the 
situation, substantial steps must still be taken before optimal governance is achieved. 
Next, we offer key considerations that we argue must be taken into account when con- 
sidering how to deliver proportionate governance; this includes the methods to be 
employed to uncover what the considerations are, notably through engagement with sta- 
keholders. Finally, we propose a principled proportionate governance model, highlight- 
ing each of its key components and the significance of their inclusion. We use a case in 
point to illustrate the added value which the model brings to practical implementation of 
the notion of proportionate governance that is the central aspiration of the Health 
Research Agency (HRA) and Academy of Medical Sciences (AMS). This is the example 
of the Scottish Health Informatics Programme,'^ sponsored by the Wellcome Trust,^^ 
and which began operationalisation of a nationwide proportionate governance model 
in Scotland in 2013. 

Key obstacles within a suboptimal landscape 

To state that linkage of datasets has great research potential is neither novel nor is it a 
phenomenon that is exclusive to the health sector.'^ Moreover, the complex regulatory 
landscape around which researchers, legally responsible data controllers and others with 
custodian duties for handling data must navigate to facilitate and/or conduct research has 
also received extensive coverage.'^ And yet, there is surprisingly little concrete discus- 
sion in the literature about how to improve the situation. The growing number of initia- 
tives dedicated to maximising the benefits of data linkage - including, but not restricted 
to health, social care, environmental and education sectors - makes it imperative that the 
key challenges impeding research are tackled, and most particularly that traditional 
approaches to information governance are reconsidered.^^ 



12. This is now known as the 'ScottisH Informatics Programme'. 

13. This work was supported by the Wellcome Trust through the Scottish Health Informatics 
Programme (SHIP) Grant (Ref WT086113). SHIP is collaboration between the 
Universities of Aberdeen, Dundee, Edinburgh, Glasgow and St Andrews and the 
Information Services Division of NHS Scotland. We would like to thank Wellcome for 
their support. 

14. See notes 3 and 4. Particular studies from the Scottish context include L. Govan et al., 'The 
Effect of Deprivation and HbA(lc) on Admission to Hospital for Diabetic Ketoacidosis in 
Type 1 Diabetes', Diabetologia 55 (2012), pp. 2356-2360; J. Walker et al, 'Effect of 
Socioeconomic Status on Mortality Among People With Type 2 Diabetes: A study from 
the Scottish Diabetes Research Network Epidemiology Group', Diabetes Care 34 (2011), 
pp. 1127-1132. 

15. Department of Health, Information: To share or not to share? The Information 
Governance Review (2013). See also Academy of Medical Sciences, Personal Data; 
R. Thomas and T. Walport, 'Data Sharing Review' . 

16. W. Lowrance, Privacy, Confidentiality and Health Research (Cambridge: Cambridge 
University Press, 2012) and 'Learning from Experience: Privacy and the Secondary Use 
of Health Data in Research', Journal of Health Services Research and Policy 8 (2003), 
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Extensive review of the current governance landscape and its challenges can be found 
elsewhere.'^ The following section suggests, rather, that the key obstacles currently 
impeding data linkage research fall into three categories: (i) a culture of caution,'^ 
(ii) a failure to take account of flexibilities within the law and (iii) a failure to build and 
incorporate iterative intelligent design into the regulatory framework. This serves to cre- 
ate a tabula rasa for considering thereafter what good governance in this field might look 
like. It necessitates that the challenges are correctly identified and posits that governance 
must be co-produced as part of a collective exercise between all stakeholders. 



Culture of caution 

The complex legislative landscape governing data use for research has been subjected to 
sustained critique. The most common attacks centre on its overburdensome and confus- 
ing nature.'' Key legislation, including both the European Data Protection Directive^" 
and its UK embodiment, the Data Protection Act (DP A) 1998 are unhelpfully vague and 
open to varying interpretation,^' even in terms of basic data protection concepts.^^ The 
numerous relevant legislative provisions that must be observed, not to mention the pro- 
cedural requirements imposed upon data controllers and researchers, can prove both 
unclear and yet onerous, causing unnecessary time delays, duplication of efforts and 



pp. 2-7; D. Willison, 'Privacy and the Secondary Use of Data for Health Research: 
Experience in Canada and Suggested Directions Forward', Journal of Health Services 
Research and Policy 8 (2003), pp. 17-23; M. Law, 'Reduce, Reuse, Recycle: Issues in 
the Secondary Use of Research Data', Spring lASSIST Quarterly (2005), pp. 5-10; J. 
Brown and J. Semradek, 'Secondary Data on Health-Related Subjects: Major Sources, Uses 
and Limitations', Public Health Nursing 9 (1992), pp. 162-171; P. Lelliot, 'Secondary Uses 
of Patient Information', Advances in Psychiatric Treatment 9 (2003), pp. 221-228. 

17. See in particular: Academy of Medical Sciences, 'Personal Data' and 'A New Pathway'; 
R. Thomas and T. Walport, 'Data Sharing Review'; G. Laurie and N. Sethi, 'Current 
Practices' and 'Towards Good Governance' . 

18. House of Lords, Science and Technology Committee 2nd Report of Session 2008-09, 
'Genomic Medicine' para 6.15. Available at: http://www.publications.parliament.uk/pa/ 
ld200809/ldselect/ldsctech/107/107i.pdf (accessed 2 December 2012). 

19. See in particular: Academy of Medical Sciences, 'Personal Data' and 'A New Pathway'; 
R. Thomas and T. Walport, 'Data Sharing Review'; G. Laurie and N. Sethi, 'Current 
Practices' and 'Towards Good Governance' . 

20. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the 
protection of individuals with regard to the processing of personal data and on the free 
movement of such data Article 2(a) (hereafter referred to as the European Data Protection 
Directive). 

21. C. Bennett and C. Raab, 'The Adequacy of Privacy: The European Union Data Protection 
Directive and the North American Response', The Information Society: An International 
Journal 13 (1997), pp. 245-264; Y. PouUet, 'The Directive 95/46/EC: Ten years after'. 
Computer Law and Security 22 (2006), pp. 206-217. 

22. European Commission DG JFS, Comparative study on different approaches to new privacy 
challenges in particular in the light of technological developments (2010) p. 16. 
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uncertainty. Reporting on the research framework within the UK, for example, the 
Department of Health identified 43 pieces of relevant legislation, 12 sets of relevant stan- 
dards and 8 professional codes of conduct, concluding that what 'this has bred is a culture 
of caution, confusion, uncertainty and inconsistency'.^^ 

The mantra of 'culture of caution' has proliferated within the research community 
(including data custodians and researchers) and has proven particularly difficult to dis- 
place. Rather than risk sanctions for misunderstanding legislative requirements, some 
data custodians have tended towards more conservative approaches to managing data 
access requests,^^ rendering access to potentially research-rich data problematic. This 
has led researchers and data custodians alike to exercise ' . . . a degree of caution that 
may go beyond what is required within the law itself. This can apply to individual judg- 
ments around access to data, where possible solutions are not fully explored because of 
the perception of the barriers'. The complex landscape and 'the many actors and inter- 
ests at play, makes confidently operating (and data sharing) within the research environ- 
ment very difficult'.^* Ironically, however, as has been pointed out by the Information 
Commissioner's Office (ICO): 

'Organisations that don't understand what can and cannot be done legally are as likely 
to disadvantage their clients through excessive caution as they are by carelessness.' 
Put otherwise, doing nothing is not a sustainable option when it comes to lawful and 
effective data management. Fear and ignorance are not excusable, and the path towards 
a robust data custodianship system must begin with a sound grasp of the law, and impor- 
tantly, the opportunities that it affords. 



Failure to make use of flexibilities 

A fact often overlooked because of the complex regulatory landscape is that flexibil- 
ities to address some of the regulatory hurdles already exist within the current frame- 
work. For example, a research exemption exists in data protection law whereby data 
obtained for one purpose can later be used for a research purpose so long as two crucial 
criteria are met: 



23. House of Lords Science and Technology Committee, 2nd Report of Session 2008-09: 
Genomic Medicine (Stationary Office, London, 2009), para 6.15. 

24. Recognised, for example, by the Information Commissioner: Information Commissioner's 
Office, Data Sharing Code of Practice (Cheshire, ICO, 2011), p.4. 

25 . The UK Administrative Data Research Network, Improving Access for Research and Policy: 
Report from the Administrative Data Taskforce (2012), p. 16. Available at: http://www.esrc. 
ac.uk/_images/ADT-Improving-Access-for-Research-and-Policy_tcm8-24462.pdf 
(accessed 10 May 2013). 

26. S. Harmon and K. Chen, 'Medical Research Data-sharing: The "Public Good" and Vulner- 
able Groups', Medical Law Review 20 (2012), pp. 516-539, at p. 522. 

27. UK Information Commissioners Office, Anonymisation: Managing Data Protection Risk 
Code of Practice (Cheshire, UK: ICO, 2012) in Commissioner's foreword. 
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(i) ... the data must not be processed to support measures or decisions with respect to par- 
ticular individuals, and (ii) the data must not be processed in such a way that substantial 
damage or substantial distress is, or is likely to be, caused to any data subject.^** 

If applicable, the consequence is that data can be retained indefinitely (normally data 
must be destroyed after original purposes for processing are met), and data subjects need 
not be granted access to their data (otherwise a norm in the regulations), so long as 
research results are not published in an identifiable form. Notwithstanding, a Code of 
Practice from the ICO suggests that granting such access is good practice.^' Moreover, 
the reduction in burden might be slight because, whilst consent to research uses is not 
mandated, data subjects must still have adequate notice of the fact that data are being 
used for research. And if consent is not obtained and research data cannot be published 
in an effectively anonymised form, then subject access must be granted lest the 
researcher be exposed to an action for breach of data protection (unless it could be shown 
that there was no alternative but to publish the results in an identifiable form). 

The restrictions on this exemption are largely driven by concerns about the autonomy 
of the data subject. These are compounded by a related phenomenon that we have called 
the 'fetishisation of consent'. This has emerged as a key issue in recent times across 
many areas of health law and regulation. It can be summed up in the current context 
as follows: there is a tendency to view consent as a necessary requirement for using data 
for research and to regard it as a panacea that alone sufficiently addresses the concerns 
around data use for research. This obvious fallacy aside, and acknowledging that consent 
may often be desirable, it is crucial to note that, in law, consent is not a requirement to 
render uses legal."" Far less is it necessarily the optimal of available mechanisms for 
achieving the twin aims of protecting individual autonomy and promoting the public 
interest in research,"'^ nor indeed for regulating data sharing more generally. Nonethe- 
less, in the health data context, this reliance on consent translates to a tendency to shape 
information governance mechanisms around the 'consent moment'.^"* Where this is not 



28. Data Protection Act 1998, section 33. 

29. ICO, Code of Practice, p. 46. 

30. G. Laurie, 'Evidence of Support for Biobanking Practices', British Medical Journal 337 
(2008), pp. 186-187; G. Laurie and E. Postan, 'Rhetoric or Reality: What is the Legal 
Status of the Consent Form in Health-Related Research?' Medical Law Review (2012), 
pp. 1^4. 

31. See, for example, General Medical Council, Confidentiality (2009) p. 18 and ICO, Code of 
Practice, p. 5 5 

32. G. Laurie, Genetic Privacy: A Challenge to Medico-Legal Norms (New York, NY: 
Cambridge University Press, 2002), p. 335; N. Manson and O. O'Neill, Rethinking 
Informed Consent in Bioethics (Cambridge/New York: Cambridge University Press, 2007) 
p. 212; O. O'Neill, Autonomy and Trust in Bioethics, Gifford Lectures, University of 
Edinburgh (CUP, 2002). 

33. R. Al-Shahi and C. Warlow, 'Using Patient-Identifiable Data for Observational Research and 
Audit' British MedicalJournal 321 (2000), pp. 1031-1032. 

34. For a rejection of this approach and an argument for the need to see consent as process in the 
health research regulation context, see G. Laurie and E. Postan, 'Rhetoric or Reality'. 
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possible, anonymisation of data has emerged as the defauh. This has been referred to as 
the 'consent or anonymise' approach.^^ 

Anonymisation techniques render identification or re-identification less likely but 
they do not, contrary to some belief, guarantee anonymity. Fortunately, the law does not 
require this. The UK ICO has recently released its Code of Practice on anonymisation, 
which emphasises that whilst anonymisation is desirable, it is not always necessary. 
Rather, what is paramount in these cases is the security of the data.^* Thus, neither the 
consent nor the anonymise approach is mandated nor, as we will argue, is either neces- 
sarily conducive to effective data sharing for research. 

A third governance pathway is authorisation. Authorisation involves an individual or 
collective body making a decision about whether data should be shared (and in what 
form) when it is neither possible nor practicable for the data subject to input to the pro- 
cess and often when the data are identifiable. Caldicott Guardians,^^ for example, are 
responsible for deciding whether patients' confidential data should be used, whether 
or not the data need to undergo anonymisation and whether consent should be sought. 
Equally, the Confidentiality Advisory Group (CAG)^^'"*" in England is charged with con- 
sidering research-based data access applications submitted to the HRA.^' It has authority 
under section 25 1 of the National Health Service (NHS) Act 2006 to advise the Secretary 
of State, when a study can go ahead in the public interest and using data without gaining 
data subject consent. Similarly, the Privacy Advisory Committee (PAC) in Scotland^^ 
advises the NHS National Services Scotland (NSS) and National Registers Scotland 
(NRS) upon data linkages, effectively providing a form of authority to link or share data 
by consultation and independent oversight. 

It is our opinion that authorisation has not received the attention and consideration 
that it merits as an alternative and complementary mechanism to consent and anonymi- 
sation. As Law notes, '[mjany writers are passionate about the primacy of informed con- 
sent',^^ with some considering that 'the requirements to seek an individual's consent to 
participate and to provide data for a specific purpose must take precedence. '"*■* We 



35. Academy of Medical Sciences, ^Personal Data' , p. 3. 

36. ICO, Anonymisation, p. 13. 

37. National Health Service National Services for Scotland (NHS NSS) Caldicott Guardians, 
see: http://www.nhsnss.org/pages/corporate/caldicott_guardians.php (accessed 2 December 
2012). 

38. G. Laurie and N. Sethi, 'Towards Good Governance', p. 16. 

39. The Health Research Authority Confidentiality Advisory Group. Available at: http://www. 
hra.nhs.uk/hra-confidentiality-advisory-group (accessed 7 May 2013). 

40. Previously the Ethics and Confidentiality Committee - see National Information Governance 
Board for Health and Social Care, Ethics and Confidentiality Committee. Available at: http:// 
www.nigb.nlis.uk/ecc (accessed 3 December 2012). 

41. CAG is also charged with advising the Secretary of State on non-research applications. 

42. NHS National Services Scotland, Privacy Advisory Committee. Available at: http://www. 
nhsnss.org/pages/corporate/privacy_advisory_committee.php (accessed 3 December 2012). 

43. Law, 'Reduce Reuse Recycle', p. 6 

44. C. Kalman, 'Increasing the Accessibility of Data', British MedicalJournal 309 (1994), p. 740. 
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discuss the problems that arise when only relying upon consent further below, and 
despite the initial objections that authorisation might raise, we would argue that ulti- 
mately it represents an important governance mechanism whereby an individual or body 
is entrusted as a proxy decision-maker. We appreciate the cultural challenges that might 
be encountered in securing buy-in for authorisation-based mechanisms within the 
research and data sharing context. We are not, however, suggesting that authorisation 
should replace consent or anonymisation, but rather that it should be considered in tan- 
dem with these governance tools that can operate alone or in combination to deliver good 
governance across a range of possible circumstances. Moreover, in governance terms, 
we contend that it delivers more robust means to protect the core interests at stake than 
either consent or anonymisation alone. 

None of these existing mechanisms can change the legal reality that ultimate respon- 
sibility for data processing rests with data controllers."^^ This status is one that exists as a 
matter of fact and law, that is, if someone is acting in fact in the capacity as a data con- 
troller in a literal sense that they control the data and their uses, then they will be treated, 
as a matter of law, as the responsible data controller. This has further fuelled the culture 
of caution for those who know that they are - or suspect that they might be - data con- 
trollers. The fact + law approach generates further anxiety and confusion within the 
research and governance communities. The lack of legal certainty (or mandate) hinders 
confidence within the system, preventing key actors from taking advantage of the flex- 
ibilities available to them. 

All of this points towards a number of conclusions and focal points for further action. 
First, reform of the law is not a necessary first step to bring about reform of practice."*^ 
The law already allows a lot to happen in terms of data linkage and sharing. Second, 
attention should be drawn to the spaces in-between legal provisions - where judgement 
calls must be made about data linkage. What is it that leads to a cautious approach for 
those operating within these spaces? Is it only the threat of future legal sanction or is 
it rather a lack of guidance and clarity on the purposes and values of data linkage itself? 
Third, wither privacy in all of this? That is, what mechanisms, if any, exist for decision- 
makers to weigh up considerations such as privacy risks and promotion of public interest 
through robust data linkage? Finally, who is being asked to take these sensitive decisions 
when the law might broadly permit discretion but offers little concrete guidance on how 
to proceed and justify each outcome? We suggest that these issues are the proper focus of 
regulatory attention and should be the subject of any models designed to deliver good 
governance. Crucial to success, however, is the further need to ensure that any models 
are responsive both to the needs of those whose data are being used (citizens) and those 



45. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal Data and on the Free 
Movement of such Data and UK Data Protection Act 1998 

46. For example, see the recent ADT Report, Improving Access, which takes a 'dual track 
approach', acknowledging the difficulties that can be encountered when making 
legislative change and that 'much can be achieved while the legislative timetable takes 
shape' p. 18. 
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who are being governed (researchers themselves). This is something that, as the next sec- 
tion demonstrates, has not happened to date. 

Failure to incorporate iterative intelligent design 

It is evident from our discussion that the current landscape has been constructed in frag- 
mented and disjointed fashion, with little attention paid to the coalface of data linkage 
decision-making. This is particularly disappointing given the multitude of recommenda- 
tions that have been made from notable reports and consultations, some of which we dis- 
cuss in more detail below. Most worryingly, current frameworks have grown up 
piecemeal,"^^ lacking sustained attempts to engage the diverse spectmm of stakeholders 
who are affected by, and must work within, the regulatory environment. In sum, there has 
been a net failure to incorporate iterative intelligent design. Successful incorporation of 
such design involves a dialogical relationship whereby proposals advanced are continu- 
ally sounded out amongst key stakeholders and most notably, amongst those charged 
with implementing them in practice. This allows key weaknesses to be identified, solu- 
tions sought and proposals subsequently reworked. This requires an ongoing reflexive 
approach towards successful development of a framework and one that we have 
employed as our dominant method in the development of our principled, proportionate 
governance model (PPGM) below.""^ This has been constructed largely outside legisla- 
tive discussions. These, we believe, largely miss the point about what is required to 
deliver good governance in this area. 

The limits of law 

The preceding discussion should not be taken to suggest that no efforts have been 
made to ameliorate the situation. Some of the most notable attempts have centred 
on clarifying or supplementing key legislation in the area. For example, the Article 
29 Working Party - an independent advisory body on matters of European data pro- 
tection - has released pertinent guidance for the eHealth community, attempting to 
shed light on the key issues. In particular, it has issued advice relating to (i) the role 
and relationship between data custodians and data processors,"^^ (ii) processing of 
data relating to e-health records^** and (iii) the definition and role of consent in 



47. MRC Ethics Series, Personal Information in Medical Research (London, UK: MRC, 2000). 

48. We have argued for this elsewhere in the context of biobanks, see G. Laurie, 'Reflexive 
Governance in Biobanking: On the Value of Policy Led Approaches and the Need to 
Recognise the Limits of Law', Human Genetics 130 (2011), pp. 347-356. More generally, 
see O. De Schutter and J. Lenoble (eds), Reflexive Governance: Redefining Public 
Interest in a Pluralistic World (Oxford, England/ Portland, Or: Hart Publishing, 2010). 

49. Article 29 Data Protection Working Party, 'Opinion 1/2010 on the concepts of "controller" 
and "processor"', 00264/10/EN WP 169 (February 2010). 

50. Article 29 Data Protection Working Party, 'Working Document on the processing of 
personal data relating to health in electronic health records (EHR)' 00323/07/EN WP 131 
(February 2007). 
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lawful data processing.^' The European Data Protection Directive is under review^^ and 
attracting considerable scrutiny, particularly in light of the recent Albrecht Report that 
advocates that research involving health data should only be conducted with data sub- 
ject consent, which should be 'freely given, specific, informed and explicit'. The pro- 
cess for legislative intervention in this area is notoriously precarious. We avoid the 
temptation here to digress into detailed discussion of proposed changes, which, although 
of relevance to this topic, remain tentative and very likely to change. But more funda- 
mentally, and absent an extreme volte face from the current legislative regime, the argu- 
ment in this article is that legal reform is not required. It is, in many senses, a 
distraction. Instead, we posit that the broad parameters for delivering good governance 
are already laid down in the legal architecture and that more law is not the answer. 
What is required, however, is a deeper understanding of how to operate within those 
parameters and in keeping with the established data protection principles in both a 
robust and effective manner to give effect to the twin purpose of the law to promote 
responsible sharing whilst adequately protecting privacy. We advocate a detailed means 
to work through the delicate balancing exercise that must be performed when individual 
privacy interests are juxtaposed with public interests in the health research context. 
Importantly, much of this framework is about offering assistance to data controllers and 
decision-makers who operate in the regulatory spaces in between the legal architecture. 
Thus, whilst the broad legal rules and principles'^ offer a framework for decision- 
making, they do not give much guidance to decision-makers on how to weigh up the 
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considerations and arrive at justifiable decisions about data processing. In this sense, 
the value of our model serves as a complement to the legal framework in identifying 
room for manoeuvre within it and by assisting relevant parties to occupy such spaces 
responsibly. Legislative reform is unlikely to remove the role for key concepts such 
as consent, anonymisation and pubhc interest. Whilst it might place emphasis more 
strongly on one rather than another, this article offers a defensible middle path through 
an ever-changing landscape. 

As the above suggests, we must therefore be conscious of the limits of law. Whilst 
legislative reforms can make a significant improvement in clarifying obligations, they 
also have the potential to breed more confusion; a fear already expressed around the new 
legislative proposals. The ICO has warned: 

it would have been preferable for the Commission to have developed one comprehensive 
data protection instrument whether a Regulation or a Directive. Given the two different 
instruments proposed, it is important for there to be as much consistency as possible 
between these instruments.^^ 

This also raises an important point about the role of harmonisation within the regula- 
tory landscape, and we argue here that our model facilitates a coherent approach to gov- 
ernance, which is nevertheless sufficiently adaptable for the different specific 
circumstances implicated by different types of data linkage. Legislation is but one (not 
always entirely effective) means of improving practice. 

Extensive reviews of the regulatory landscape have included audits of current practice 
and consultations extended across the research and data sharing communities, resulting in 
recommendations for modification of the current framework. The Data Sharing Review, 
for example, highlighted the default 'consent or anonymise' approach and called for clar- 
ification of the legal framework, openness and transparency and the removal of unneces- 
sary legal barriers, whilst simultaneously maintaining robust privacy protections.^'' The 
AMS stressed the need for proportionate governance as a reaction to the overburdensome 
demands of the governance landscape, as outlined above.*** Most recently, the Caldicott 
Review has added a new principle to the pre-existing six Caldicott principles: '[t]he duty 
to share information can be as important as the duty to protect patient confidentiality' . The 
additional principle acknowledges outright the importance of sharing information, a duty 
often forgotten or which is seen as antagonistic to preserving confidentiality.*' 
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We fully endorse these calls for clarity and proportionality and go far beyond them in 
offering substantive argument and examples about what proportionate governance can 
look like in practice. This is to ensure that the call to arms is not so abstract so as to 
render its key message otiose. An added advantage is that our approach can improve 
upon the governance landscape as it stands. It offers an account of the relative weight 
that can be placed on various operational governance devices within the legal architec- 
ture - such as consent, anonymisation, authorisation and public interest - in ways that 
inform current and future legislative processes by revealing deeper understanding 
about the interaction between these devices and arguments about their respective mer- 
its and demerits. In the final analysis, the objective is to offer concrete mechanisms for 
steering a path that simultaneously protects and promotes both private and public 
interests. 



Deliberative delivery: developing a PPGM 

This section outlines the methods employed in developing our governance model. It 
appraises the key governance considerations that emerged from our research and that 
subsequently informed the development of our PPGM. The model was developed 
within the context of the Scottish Health Informatics Programme (SHIP).*^ This was 
a Scotland-wide endeavour bringing together academia and NHS Scotland to 
develop an infrastructure to facilitate better the uses of health data for research. The 
interdisciplinary and collaborative nature of the project set the tone for the metho- 
dology with an emphasis from the start on working closely with a diverse range of 
institutions and individuals, enabling an iterative, discursive and multidisciplinary 
approach to developing a governance framework. Early and sustained stakeholder 
engagement was invaluable to identifying the key and diverse ethical, legal, social 
and practical issues implicated in delivering a more streamlined system. Data con- 
trollers and health researchers offered particularly important insights into trade-offs 
and accommodation of interests to be made when navigating the uncertain regula- 
tory environment. This research user engagement proved to be crucial in the deliv- 
ery of an effective, robust and adaptive model, one that is reflective of the needs and 
sensitivities of key stakeholders. Furthermore, given that all potential stakeholders 
cannot be identified from the beginning, it became readily apparent that an efficient 
governance model must be versatile enough to accommodate different stakeholder 
needs which are both present at the time of construction and which might subse- 
quently emerge. Obvious examples include cross-sectoral and international level 
data linkage. A degree of foresighting was therefore also required to imagine future 
scenarios that would test the limits of any system and also secure its adaptability.^^ 



62. Now known as the ScottisH Informatics Programme; see further: http://www.scot-ship.ac.uk/ 
(accessed 15 June 2013). 

63. On foresighting and law generally, see G. Laurie, S. Harmon and F. Arzuaga, 'Foresighting 
Futures: Law, New Technologies and the Challenges of Regulating for Uncertainty', Law, 
Innovation and Teclrnology 4 (2012), pp. 1-33. 



Sethi and Laurie 



181 



The research commenced with the identification of key obstacles - actual and per- 
ceived - impeding research using secondary datasets specifically within (but not 
unique to) the United Kingdom, and more specifically, the Scottish context. An exten- 
sive literature review surveyed primary and secondary legislation and case law, good 
practice guidelines issued by professional bodies and recommendations emerging from 
consultation reports.^"* Secondary literature also contributed to developing an under- 
standing of the status quo.^^ We documented the functions of key actors within the cur- 
rent framework, particularly researchers, data custodians and oversight bodies such as 
the PAC in Scotland*'*' and regulatory bodies such as the Information Commissioner. 
A detailed overview of the complex legal landscape is offered elsewhere.*^ The fol- 
lowing brief account of the key ethical and legal issues that emerged from our scoping 
exercise (and consequently influenced the construction of our PPGM) is pertinent for 
present purposes. 

Navigating the path: key considerations for proportionate governance 

Privacy- Paying due regard to individual privacy is rightly one of the most dominant 
considerations within the current information governance framework. However, it is 
not the only consideration, as reflected by the non-absolute protection given to 
privacy under common law, statute and human rights regimes.^** Furthermore, it 
is often perceived risk to privacy that provokes disproportionate procedural 
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burdens. ' And yet, the law, for the most part, does not adopt a risk-based 
approach to privacy protection/' 

Privacy is a notoriously protean concept. Despite its well-recognised objective value 
as demonstrated by its protected status in a plethora of human rights and other legal 
instruments, it is - in fact - an inherently subjective notion for individuals. Opinion will 
vary considerably between individuals as to what to them constitutes privacy and its 
infringement. Often this will be highly context specific. In law, identifiability - that 
is, the likelihood of being able to identify an individual from their data - is often used 
as a key benchmark for triggering legal protection of privacy within the data sharing 
sphere, notably data protection. This, however, rarely involves an assessment of the 
nature or degree of the privacy risks or affront involved - which, again, will be depen- 
dent on context. Furthermore, identifiability is itself particularly problematic. 
Advanced technical procedures can 'pseudonymise' and 'anonymise' data, thus render- 
ing re-identification of an individual highly unlikely, but it is impossible to guarantee 
100% anonymity. ^"'■^^ The recent Caldicott Review acknowledges the problematic 'grey 
area' of data where re-identification of individuals is possible, particularly when com- 
bined with other data.^^ The ICO stresses that 100% anonymity is not a requirement of 
the DPA and in its new Code of Practice, it is encouraging practitioners to view anon- 
ymisation as rendering the risk of re-identification remote rather than mitigating it com- 
pletely.''^ This reinforces the point that the risk assessment in determining adequate 
privacy protection is crucial. 

Matters are complicated further by a tendency to conflate privacy with other con- 
cerns, most notably: autonomy, security, control^^ and inaccessibility. With regard to 
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privacy and autonomy, the latter tends to be determined by choice. It is not self-evident, 
however, that the same is true of privacy: simply because an individual has made a 
choice around whether she or he would like their information to be used (or not), this 
does not guarantee that their privacy concerns will be met. Privacy and security should 
also be differentiated: 'security is necessary but not efficient for addressing privacy'. 
Privacy correlates with the use of data in that it implicates considerations of (mis)ap- 
propriate uses and typically relates to policies and procedures around data sharing. Secu- 
rity, however, relates to the protection that is afforded to data and relates more to 
operational and technical considerations.^^ 

The essential nature of privacy interests also raises important considerations. For 
example, consider privacy and its relationship with the notion of control over informa- 
tion relating to each of us. Control can exist at different levels, for example, the indi- 
vidual level (via mechanisms including, but not limited to, consent). But individual 
level control does not guarantee privacy protection if data are to be shared in any form, 
because protection is also dependent upon external controls (such as privacy protection 
policies).**" Unless an individual chooses complete inaccessibility of their data 
(implausible in its own right), any consented use is dependent on external actors and 
policies around information handling. This in turn requires actors to avert to the pri- 
vacy risks that will arise from the use itself - including ones that might not be known 
at the time any consent is given. 

Whilst consent is not required under data protection legislation, under the common 
law duty of confidentiality, many regulatory and governance responses have pro- 
ceeded on the assumption that some form of consent must be obtained prior to disclo- 
sure of personal information.**' This, however, has never been tested in the courts. 
Moreover, the need for informed consent in the context of secondary uses for data has 
been challenged with alternative solutions advanced. These include providing options 
for data subjects to opt out of studies where their data are used, providing one-off 
broad consent and including robust measures for ensuring privacy protection and safe- 
guards to prevent indefensible infringements.^^ Notwithstanding, there has been a con- 
flation of consent concerns with privacy protection. A focus on consent has the double 
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disadvantage that it distracts from the fact that privacy is not an absolute right, and it 
can be justifiably encroached upon in the public interest. ^^'^"^ Thus, as noted by Tay- 
lor, ' [wjhile maintaining confidence in a health system might be an important public 
health objective ... ' - in that if patients do not believe their doctors will fulfil their 
obligations, they are less likely to step forward when infected - ' . . . at the same 
time, health research is itself also an important part of protecting health gener- 
ally'.**^'*** To see privacy protection as an integral part of wider public health pro- 
motion is crucial. It allows meaningful comparison of the relative interests at 
stake in ways that are not possible if privacy is cast simply as a part of individuals' 
autonomy interests. This is not to decry the importance of a role for consent, but it 
does require us to reorient our understanding of what is at stake. If public interest is 
a key and leading principle in guiding action in this area, then it requires a detailed 
account of its significance. 

The public interest. Akin to privacy, the concept of the public interest is difficult to 
articulate across various realms of law, having attracted much attention from 
beyond the health sector. Whilst the notion remains 'ill-defined',^^ public inter- 
est is perhaps more easily identifiable in the health context: the basic premise is 
that medical research using individual patient data can contribute to scientific 
knowledge that can be of benefit to the health of populations, individually and 
at large, now and in the future. We share a solidaristic, common concern in the 
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protection and advancement of the public interest in health promotion, and this 
necessarily requires that in some circumstances individual and competing public 
interests must yield. Epidemiological studies or pharmacovigilance to identify drug 
risks are simply not possible without access to health-related data.**' If the premise is 
accepted, the challenge is to provide a defensible mechanism to conduct such trade- 
off exercises. Fundamentally, there is the need to show that there is indeed a public 
interest objective to be realised through a proposed data linkage. Given the primacy 
of privacy (and confidentiality), this places a significant onus on those claiming 
such a justification for data linkage and sharing. As a minimum, we contend that 
every linkage proposal would have to demonstrate that it is scientifically sound and 
that there are ethically robust reasons for the linkage. The strength of such a claim 
will be increased if it can be shown, for example, that only linkage with identifiable 
data will allow the public interest to be realised.''^ But the spectre of consent is 
never far away: can public interest offer sufficient justification to proceed as an 
alternative to consent? More significantly, can public interest prevail even when 
consent is withheld? 

Public interest and consent. We have asserted above and elsewhere that consent is 
often viewed as a panacea^^ to all the risks brought up by data linkage. In the 
context of privacy protection, we have suggested that simply because an individ- 
ual's consent has been obtained, this does not guarantee that their privacy interests 
are being protected. As the dominance of consent in health-research regulation 
has been increasingly challenged in recent years, we have witnessed a morphing 
of the concept in an attempt to sustain its central role. Thus, we now have 
examples of consent being characterised as explicit,'^ informed,^^ specific, 
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broad and generic. These last two examples are responses to the fact that it is 
often impossible''^ or impracticable to provide individuals with information in all 
situations about what might happen to their information, especially when uses 
might be in the future and as yet undetermined, or when data that are to be used 
were obtained historically and for long-exhausted purposes. In the data protec- 
tion arena, the European Article 29 Working Party has appreciated that consent 
does not always provide a strong basis for justifying the processing of personal 
data, particularly where consent is stretched to fit uses for which the consent was 
not initially provided.'"^ Why then does the appeal of consent endure? 

An ambivalence about the relative roles of public interest and consent was borne out 
by our research that involved collaboration with colleagues in medical sociology who 
undertook engagement exercises on attitudes towards data sharing. These confirmed 
repeatedly the prima facie importance that people place in consent. '""^ Thus, albeit as 
a strict matter of law, public interest might prevail over consent, pragmatic and ethical 
considerations suggest that a more palatable practical approach would be to consider it a 
rebuttable presumption that consent ought to be obtained. This suggests that if the route 
is not to be taken, then strong justification and evidence for the public interest route is 
required. This re-enforces an important point about governance options: consent is not 
the only mechanism for justifying the use of patient data for research and public interest 
has a crucial role to play but their respective roles will depend on what is at stake. What 
is required, then, are mechanisms to assist researchers and data linkage decision-makers 
to reflect upon and ensure that the appropriate mechanisms are put in place for particular 
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data uses in any given set of circumstances. It is far less about proscription of consent 
over public interest or vice versa as blanket positions and far more about constructing 
an appropriate governance response for particular linkage proposals. To do so, we must 
continue to consider the full range of the tools that is available in the governance 
armamentarium . 

Anonymisation. A crude form of responsive governance has already prevailed in the per- 
functory 'consent or anonymise' approach.'**^ Certainly, anonymisation can offer many 
advantages in the health research context. As Lowrance notes: 

A way out of many problems should be de-identification, or anonymisation of data. If data 
are not identifiable the data are not 'personal' and, unless safeguards are compromised, the 
data-subjects stand only a very low risk of being banned, which should be the principal 
point and should obviate the need for express consent. Much, perhaps most, health services 
research only uses anonymised data.'"^ 

Like privacy, however, this leaves us once again in the realm of non-absolutes. Anon- 
ymisation techniques render the likelihood of re-identification of data subjects highly 
unlikely'"^ but not impossible'"^ and the 'grey area' of data linkage can be particularly 
problematic. The ICO has acknowledged that potential for re-identification via data 
linkage is 'essentially unpredictable because it can never be predicted with certainty 
what data is already available or what data may be released in the future'.'**' Further- 
more, anonymisation sets up a potential tension with public interest: whilst it takes us 
some of the way towards increased privacy protection, it can come at the cost of data 
quality; the richness or research potential value of data sets can significantly diminish 
once they have been anonymised.""'"' Equally, much valuable research can proceed 
without the need to use identifiable data."^'"^ This leads to two important conclusions. 



104. B. Rumbold et al., ^Access to Person-Level Data', p. 7. 

105. W. Lowrance, ^ Learning from Experience', SI, p. 5. 

106. Ohm, 'Broken Promises', p. 1710. 

107. See in particular Homer et al., 'Resolving Individuals Contributing Trace Amounts of DNA 
to Highly Complex Mixtures Using High-Density SNP Genotyping Micro Arrays', PLoS 
Genetics 4 (2008), pp. 1-11 and Ohm, 'Broken Promises', p. 1701. 

108. Department of Health, Caldicott Review, p. 64. 

109. ICO, Anonymisation, p. 18. 

110. '100% anonymity is almost impossible to achieve without the data set being reduced to one 
data item, rendering it of little use for most research purposes'. Confidentiality and Security 
Advisory Group for Scotland (CSAGS), Protecting Patient Confidentiality: A Consultation 
Paper, Seeking Consent (2001). Available at: http://www.csags.scot.nhs.uk/ppc/ppc.pdf 
(accessed 3 December 2012). 

111. ICO, 'Anonymisation' , p. 13. 

112. Ohm, 'Broken Promises', p. 1701 and CSAGS, Protecting Patient Confidentiality. 

113. The recent ICO Code on Anonymisation aims to clarify the conditions for acceptable levels 
of anonymisation and outlining when the process is necessary or desirable, whilst clearly 
acknowledging that such guidance is deficient both at the EU and UK level data 
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First, like consent, anonymisation can serve a useful role as a default starting point from 
which departure is possible on good cause shown. Second, even if anonymisation is 
deployed in some form, risks remain. Thus, central to any good governance model must 
be appropriate risk assessment' and the mechanisms and personnel to deploy this. This 
returns us, once again, to the option of authorisation. 

Authorisation. As described above, authorisation involves an individual or group making a 
decision about whether data should be shared (and in what form) when it is neither pos- 
sible nor practicable for the data subject to input to the process. Caldicott Guardians"^ 
are the paradigm example of individuals who take on this role, whilst CAG in England 
and Wales and PAC in Scotland perform similar functions as collective bodies. Author- 
isation represents a move away from the binary 'consent or anonymise' model, but, 
importantly, it does not preclude a role for either consent or anonymisation in govern- 
ance outcomes. That is, a conclusion from an authorisation deliberation might be that 
- in fact - consent should indeed be sought and/or that a certain form of anonymisation 
should be applied to the data. The important substantive and procedural value of author- 
isation lies in the opportunities afforded for deliberation, reflection, evaluation and risk 
assessment. Transparency and communication of such processes are also crucial in 
addressing possible issues of trust. 

PAC in Scotland, for example, has an expectation that consent will be obtained where 
identifiable patient data are used. Whilst it recognises that this is not always possible, it 
holds that 'in such circumstances, a clear explanation and justification should be 
given'.''* Amongst other things, explanations/justifications may include demonstrations 
of the scientific validity of a particular proposal, presentation of a strong case for why 
obtaining consent is not practical and evidence that privacy risks are minimised as far 
as possible and that adequate security measures are in place."'' Thus, authorisation 



protection legislation. Whilst it is too soon to say whether the Code is successful in 
clarifying to practitioners the issues around anonymisation, the extensive consultation 
and efforts that went in to the Code stand testament to how problematic anonymisation 
can be. 

1 14. S. Shaw and G. Barrett, 'Research Governance: Regulating Risk and Reducing Harm?', 
Journal of the Royal Society of Medicine 99 (1994), pp. 14-19. 

115. See Caldicott Guardians Forum. Available at: littp://www.nhsnss.org/pages/corporate/ 
caldicott_guardians.php (accessed 30 July 2013). 

116. NHS National Services for Scotland, Privacy Advisory Committee for Scotland, 'Guiding 
Principles'. Available at: http://www.nhsnss.org/pages/corporate/about_pac.php (accessed 
30 July 2013). 

117. In Scotland, in addition to PAC, the Community Health Index Advisory Group (CHI AG) 
also holds a key advisory role in relation to patient demographics and research uses. In 
each of these cases, the approach is similar: where consent or anonymisation are shown 
not to be viable options, the authorising body takes on a scrutiny role to consider the 
risks and benefits of linkage/use and to recommend an acceptable outcome. Where 
linkage is approved, then often additional terms and conditions can be imposed, for 
example, additional security measures or a reduction in access only to necessary data 
sets essential to answer the research questions. 
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provides a crucial piece of the governance puzzle by furnishing a means through which 
to determine the most appropriate mechanisms to be used and standards to be met for 
different linkage applications. This recognises that a one-size-fits-all approach is not 
appropriate. Notwithstanding, an important cross-cutting consideration for all data use 
and linkage applications is that of proportionality, that is, the robustness of justification 
of any authorisation must be relative to a sound assessment of the benefits and burdens 
involved. 

Proportionality. Besides the key obstacles identified earlier, the most notable flaw tainting 
the governance landscape is a lack of proportionality. The landscape is ridden with dispro- 
portionate hurdles; many procedural mechanisms that researchers and data custodians 
must follow prior to data sharing and linkage often fail adequately to reflect the nature and 
degree of risks associated with such practices. As the Information Commissioner has said, 
the risks have been 'both understated and overstated'."^ This incommensurability of reg- 
ulation and risk - in either direction - becomes a matter of disproportionality when the 
regulatory burden greatly outweighs the relative risks. A failure to embody a sense of pro- 
portion in data linkage mechanisms naturally perpetuates a culture of caution and further 
impedes and delays progress with research.'^' Thus, instilling and nurturing a more pro- 
portionate approach to governance that pays due regard to relative risks'^" is crucial. This 
parallels one of the key recommendations of the influential Rawlins Report'^' and the sim- 
ilar risk-based approaches being implemented by the Medicines and Healthcare Products 
Regulatory Agency with regard to clinical trials. '^^ 

Proportionality and its delivery by virtue of robust risk assessment are neither new 
concepts nor novel features of legal systems by any means. Proportionality plays an 
important role in European and human rights law, for example. Within the European 
Convention on Human Rights (ECHR) paradigm, any interference with many rights - 
notably private and family life under Article 8(1) - must be necessary and proportionate 
to meet a pressing social need under Article 8(2). Within European Law, the principle of 
proportionality is interpreted similar to a rationality test whereby the suitability, neces- 
sity and proportionality in its strict sense are considered against an alleged infringing 
measure. In both contexts, proportionality serves to regulate the spaces in between 
hard laws. It operates when discretion must be exercised and when varying interpreta- 
tions or legal measures might be justifiable but depend on extensive variables that cannot 
be legislated for on a case-by-case basis. Rather, an appeal to proportionality deter- 
minedly requires that analytical judgement be performed; requiring appropriate 
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consideration of material variables against a background of core objectives to be 
achieved. Thus, when matters of private and family life are engaged, the nature, extent 
and consequences of interference are judged relative to the nature, strength and impor- 
tance of the social need. Proportionality acts as the weighing measure. Similarly, when 
judgements must be made about the propriety of data linkage, we contend that the nature, 
degree and likelihood of privacy (and other) impacts must be weighed relative to the 
strength of the reasons for seeking linkage at all, notably in the public interest - as 
robustly laid out in any given application for data linkage. 

We discuss the specifics of these variables presently. Proportionality, however, has a cen- 
tral role to play in acting as a temper in two key ways in the information governance context 
and is an integral feature of our governance model. First, it complements the balance that 
must be sought between privacy protection in the public interest and the pubhc interest in 
scientific enquiry and discovery by requiring a deeper account of what is actually at stake, 
most particularly by asking about the relative strengths of the interests and likely threats 
thereto. Second, it suggests that multiple and differential governance responses are the most 
fitting regulatory responses because different combinations of variables - strengths of pri- 
vacy interests/risks versus strengths of public interests and benefits - will require different 
degrees of protection, sharing, oversight and, ultimately, sanction. In turn, this will require 
differing deployment of governance mechanisms, sometimes favouring consent when, say, 
sensitive data or contentious research questions are in play; sometimes favouring anonymi- 
sation when the research objective can be realised without recourse to identifiable data. 
Authorisation allows an important reflective and corrective input, promoting well- 
informed and risk-based assessment of the entire range of considerations, as well as mechan- 
isms to give an account of deliberations and to communicate reasons and justifications. 
A rather trite appeal to balance is nonetheless enhanced by an appreciation through this 
account of the relative role and importance that each governance device brings and how they 
can be deployed alone or in combination. Finally, a commitment to balance ensures that no 
one principle or concern reigns supreme, albeit that evidence suggests that: '[i]t is undeni- 
able that consent remains the primary policy device in legitimating medical research'.'^"* 

Going fishing: a template for proportionate governance 

Having identified the key hurdles to overcome and the overarching ethical and legal prin- 
ciples demanding continuous consideration, we offer here a template of key elements of 
governance that serves as a blueprint for what optimal governance might look like in the 
context of data linkage for research. This template provided us with a lens through which 
to focus comparisons between the current approach and any under consideration. This 
template was also an output of iterative design: not only does it capture emerging ques- 
tions and concerns from the literature, but additionally it reflects expectations arising 
from engagement with stakeholders in the field. 



124 . Mason and Laurie, 'Zaw and Medical Ethics' , chapter 19. 

125. Key stakeholders within Scotland (and predominantly the SHIP community) included: 
researchers, data controllers, data custodians and data processors, and advisory bodies 
responsible for advising on data access applications for research. 
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The template offers three key functions: 

1. It provides a flexible yet bespoke means of identifying key elements that reflect 
the concerns of stakeholders and key issues highlighted within the literature; 

2. It provides a means for identifying the strengths and weaknesses of any current 
regulatory framework and 

3 . It facilitates comparisons between a current and proposed model of governance in 
order to check whether, and if so how, any proposed model will improve upon the 
status quo. Moreover, it provides a basis against which the fitness of a future 
model can also be tested. 

Table 1 offers an overview of our template for achieving optimal governance. 

The considerations included in the template are by no means exhaustive; indeed, 
questions should be tailored as appropriate to the specific governance setting under con- 
sideration. For example, when considering cross-sectoral data linkage, one additional 



Table I . Template for optimal governance. 



Question 


Key consideration(s) involved 


Who are the key stakeholders 
and are they satisfied? (Are the 
right people engaged at an early 
enough stage in the governance 
process?) 


Identifying and engaging with the various stakeholders 
within a regulatory framework means that buy-in and 
cooperation is much more likely, despite apparently 
conflicting interests. 


In what ways does any model 
under consideration reflect a 
proportionate approach to 
governance? 


Proportionality should be a key feature of any governance 
system, legally, ethically and practically. It avoids excessive and 
overly cumbersome procedures whilst paying due regard to 
real risks and seeking appropriate measures where 
fundamental obligations must be met. 


Do all parties involved 
understand the implications of a 
particular model? 


A major criticism of the current landscape is its complexity 
and the confusion that it generates amongst researchers and 
data controllers. Ensuring that all actors fully understand their 
obligations and are confident in exercising them is paramount 
to an effective governance system. 


What vetting and training 
methods will be implemented by 
any model? 


It is important to ensure that appropriate methods for 
ensuring that only adequately qualified individuals gain 
access to, and/or have responsibility for, data. This implies 
a need for effective training and accreditation in any 
governance regime. 


Is there accountability within the 
model and who is accountable at 

each stage? 


This requires articulation of key roles and responsibilities 
within the framework and proportionate sanctions to be 
in place for non-fulfilment. 


How is the model monitored/ 
regulated? 


This implies overview of key legislative provisions, 
guidelines and oversight practices. 


(continued) 
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Table 1. (continued) 


Question 


Key consideration(s) involved 


How does the model fare when 
subject to a Privacy Impact 
Assessment (PIA)? 


It is recommended by the Information Commissioner's 
Office that organisations carry out PIAs to identify privacy 
risks to individuals' personal information in order to identify 
failures/strengths of a governance system in handling risks 
appropriately. It can encourage proportionate rather than 
conservative approaches towards risk. 


How does the model reflect 
public expectations and impact 
on public confidence? 


Engaging with the public, particularly in an initiative that 
involves sensitive personal information is key. Taking 
account of public expectations in a governance model can 
engender public confidence, even when this does not mean 
that all views become part of the model. 


How does the current and 
proposed model sit within the 
legal order? 


Compatibility of governance model with legal 
requirements and, even further, whether or not the model 
impedes/facilitates/makes optimal use of the legal 
provisions. 



question might be: 'how does the model accommodate or impede data sharing with other 
sectors?' A further consideration could involve data sharing on an international level, for 
example, 'how does the model deal with international data linkage, including ensuring 
adequate ethical and legal standards are identified and met?' Moreover, the template 
is determinedly generic in that it can be applied within and across a range of data sharing 
sectors. The purpose of developing such an instrument is to outline the pertinent issues 
that must be addressed in governance design and that will remain uncovered by a simple 
literature review. Applying our template proved particularly fruitful in (a) identifying the 
differences between theory and practice, that is, what is assumed to take place in light of 
regulatory requirements and what are the practical realities of realising these demands 
and (b) teasing out the nuances within different settings/organisations and how they 
approach the implementation of the governance demands. 

Encouraging a range of stakeholders to apply the template to their work setting offers 
a holistic multidimensional picture of current practice and related difficulties. Addition- 
ally, it unveils the specific needs of the very actors required to navigate the framework on 
a daily basis, rendering a proposed framework more likely to succeed in delivering good 
governance. Asking such questions is effective for assessing current regimes and com- 
paring them against future proposals. As such, our template is akin to performing a Gov- 
ernance Impact Assessment. It is a process that helps to identify risks, options and 
opportunities that include, but go far beyond, concerns about privacy and anything that 
could be revealed by a privacy impact assessment alone. 



126. ICO, Privacy Impact Assessment. Available at: http://www.ico.gov.ult/for_organisations/ 
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Developing and applying our template to the cuiTent regulatory landscape enabled us 
to identify key weaknesses within the framework' and to clarify issues that needed to 
be addressed by any model to be developed in the future. Here, we outline the key themes 
that emerged and subsequently informed the construction of our proportionate govern- 
ance model. 

The catch: key findings 

First, our preliminary scoping of the literature asserted a discontent with the landscape, 
well demonstrated above. Engaging with key stakeholders about their experiences in 
practice confirmed this and served to highlight the most problematic areas encountered 
in practice, for example, the extent of the hurdles that researchers encountered when 
gaining approval for data access and the real and urgent need for clear and effective 
training. We worked closely with the public engagement team who carried out inves- 
tigations into the attitudes of key actors including researchers and data controllers.'^^ 
A key message to emerge of import in constructing our model was the importance of 
having clear, accessible articulations of the legal obligations for different actors at dif- 
ferent stages of data use; despite the inclusion of procedures for ensuring staff received 
training around their data handling responsibilities, confusion remained about specific 
obligations and how these could be fulfilled. This uncertainty is doubtlessly reflected 
in the wider community and perhaps confirmed by the fact that data breaches persist in 
that community. There is a tendency for breaches to attract extensive press coverage; 
shaking public and professional confidence'^' across a range of sectors, particularly, 
where breaches occur within a trusted institution'^** such as the NHS.'^' Indeed, whilst 

1 0 111 

recommendations have been made for Scotland and UK-wide public education 
campaigns to raise awareness amongst the public about how their data are used 



127. SHIP is a partnership between Information Services Division (ISD) of NHS Scotland and 
academic universities. We thus applied our template against the backdrop of the wider 
legislative framework within the UK and more specifically, procedures as they stood 
within ISD, custodian to the majority of NHS Scotland health information. 

128. SHIP Public Engagement, 'What makes research/researchers trustworthy?'. 
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133. See V. Armstrong et al., 'Public Attitudes to Research Governance: A Qualitative Study in a 
Deliberative Context', Wellcome Trust Report (London, UK: The Wellcome Trust, 2007). 
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(including data about individuals who are relatively well),'^^ levels of understanding 
about data linkage and use are relatively low.^^^ 

Public engagement work within SHIP also uncovered the importance of trust in the 
safe and appropriate use of data.'^^ Thus, in our construction of a governance template, 
developing a model that reflected stakeholder and public concerns and attitudes was 
paramount. In particular, we appreciated that at the time of developing our model, a 
future move would be to develop initiatives that would facilitate cross-sectoral data 
linkage, that is, linking data across different sectors, for example, police, welfare, edu- 
cation and so on. Thus, any governance model must in many senses be both blind to 
sector-specific concerns and at the same time sensitive to them. This governance par- 
adox was addressed by identifying the common concerns and pressure points for 
decision-makers across various sectors and designing governance tools of generic 
applications. Most notably, as discussed below, this led to the development of a set 
of transferable principles and instances of best practice that are both relevant and adap- 
table across any number of fields. The overarching commonality is the articulation and 
setting of gold standard benchmarks for data linkage and sharing that at the same time 
guide decision-makers. This can operate to gain buy-in from data custodians in differ- 
ent sectors to be willing to share data outwith their own organisations/sectors and at the 
same time achieve a degree of approximation of considerations, standards and 
approaches irrespective of the sectors within or across which linkage or sharing takes 
place. 

Risk also emerged as a key consideration. It transpired that despite ICO guidance 
suggesting organisations should carry out Privacy Impact Assessments, not all organi- 
sations took this on board; a lack of joined-up governance across different organisa- 
tions and sectors was evident, suggesting a suboptimal detection of privacy risks 
involved in data linkage. Of note, key issues that gave rise to the most confusion were 
the vague nature of the DPA 1998 and the varying interpretations that had been adopted 
of the European Data Protection Directive by virtue of the margin of appreciation it 
grants to member states. Specifically, doubts endured over issues such as when/ 
whether consent is necessary, and what type of consent is appropriate (implied, 
informed, broad etc). The interoperability of statute and common law further added 
to the confusion, notably whether the duty of confidence requires an individual's con- 
sent even when the DPA does not.'"'^ Further still, the potentially tense relationship 



134. Department of Health, Information Governance Review, at p. 62. 

135. P. Singleton et al., General Medical Council Public and Professional Attitudes to Privacy of 
Healthcare Data: A Survey of the Literature (Cambridge Health Informatics Limited, 2007). 
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34090707.pdf (accessed 10 May 2013). 
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137. This issue gave rise to legislative change in England and Wales by virtue of section 251 
NHS Act 2006 and the specific provision to allow the setting aside of the need for 
consent in specific defined circumstances under the authority of the Secretary of State 
(previously upon the advice of the Ethics and Confidentiality Committee, now the 
Confidentiality Advisory Group. Such legislative change has never occurred in Scotland. 
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between the Freedom of Information (Scotland) Act 2002 and the DPA 1998 remains at 
times challenging to negotiate given that the former serves to make (official) informa- 
tion more freely available and the latter to limit access to (personal) information. Addi- 
tionally, we must consider the difficulties around anonymisation mentioned earlier. 
Clear guidance on anonymisation, acceptable procedures for carrying out the process 
and the circumstances in which it was (un)necessary was lacking from both the UK 
DPA and at a European level. A key lesson learned is that despite the associated 
issues, both consent and anonymisation are important and must be central features 
in a good governance model. This is both with respect to minimising risks and because 
publics expect them to have a central role. 

The juxtaposition of these findings with the outcome of our literature reviews led to 
the conclusion that consent and anonymisation should remain the starting point to con- 
sider within a proportionate governance approach. By the same token, we could assure 
decision-makers that they can depart from these mechanisms and use other routes on 
good cause shown, including where it would be disproportionate to attempt to deploy 
consent or anonymisation. This approach should serve to reassure publics as being one 
that it suitably couched in caution with respect to their autonomy and privacy interests 
but which also seeks to promote the important public interests in play and to strike a 
defensible balance of interests overall. 

Another key lesson learned was the real need for coherent researcher and data cus- 
todian training. In addition to the understandable lack of comprehension of the com- 
plex legal and ethical landscape, vetting procedures are not robustly or uniformly 
applied across the health sector. Indeed, we learned that many data sharing relation- 
ships were based on trust and previous experience of sharing; a clear need for training 
and vetting was identified. Transparent and intelligible procedures not only to estab- 
lish who is accountable but for what, and when, are essential. This was not so much a 
question of accountability and sanction at the level of the regulator - the ICO has now 
been granted increased powers to impose monetary penalties of up to £500,000 on 
those in breach of obligations'^^ - but rather this related to inter-institutional or per- 
sonal accountability in data sharing arrangements at different stages of a data life 
cycle. 



Instead the de facto approach of the Privacy Advisory Committee is similar to that of CAG, 
despite the lack of statutory powers, PAC advice carried considerable weight when advising 
ISD. ISDs of NHS Scotland are custodian of a vast range of NHS health data, and NRS is 
the National Register for Scotland. 

138. Although we have mentioned that the ICO had now released its code of practice, it is hoped 
that this will provide much needed clarity, alongside the work of the UK Anonymisation 
Network. See: http://www.ukanon.net (accessed 11 May 2013). 

139. As per powers enshrined under section 55 of the Data Protection Act 1998, the ICO can 
serve monetary penalties of up to £500,000 for breach of the Data Protection Act 1998 
and serious breaches of the Privacy and Electronic Communications Regulations. At the 
time of writing, the ICO has served some 26 monetary penalties since January 2012, 
though note some of these have also been for breaches to Electronic Communications 
Regulations. See: http://ico.org.uk/enforcement/fines (accessed 9 May 2013). 
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In sum, the application of our template allowed four key themes to emerge: (1) 
the need for clarification around which standards and values should be observed and 
how this can be achieved; (2) the need for a proportionate, risk-based approach to 
governance and how this might be operationalised; (3) the need for clarification 
around the roles and responsibilities arising from data sharing and clear lines of 
accountability and (4) the general need for training and accreditation around data- 
handling issues. 



Delivering principled proportionate governance 

Our model comprises the following key elements that correspond directly with the key 
needs we identified in our research. Here, we elucidate how these needs can be met 
through: (1) guiding principles and best practice; (2) safe, effective and proportionate 
governance mechanisms; (3) a clear articulation of the roles and responsibilities of data 
controllers and (4) researcher training. We focus on the guiding principles and safe, 
effective and proportionate governance elements because they enable us best to convey 
the key message of this article - the importance of delivering principled proportionate 
governance. 

Guiding principles and best practice 

From the outset, good governance demands an accessible articulation of the different 
values and standards against which individual and organisational activity will be 
assessed.''*" Principles, by their very nature, offer the ideal medium for relaying these 
standards'"*' due to their flexibility; they can be adapted and implemented in a manner 
which best suits the level of decision-making taking place. Principle-based regulation 
(PBR) has enjoyed much attention lately, most notably within the financial sector. Its 
benefits can be translated to the data linkage context very well. '^^ Appropriately consti- 
tuted principles are specific enough to convey the intention behind them, yet broad 
enough to leave room for interpretation as each case demands '"'^ and as has been noted, 
'we need ethical principles to "permeate" down to all levels' of decision-making.'^^ In 
recognition of these strengths of principles, we have developed a set of guiding 
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principles and instances of best practice (GPBP). These principles were the result of an 
iterative process and developed by a Working Group comprising of a diverse range of 
actors involved in data sharing and research. 

A key criticism of principles is that they are often vague in nature, failing to provide 
adequate or specific content on how different values ' ... should be factored into 
decision-making processes, such as whether data should be made available for sharing, 
whether institutional amngements are sufficiently robust to accommodate data sharing 
and whether appropriate governance mechanisms are in place for such sharing'. ^"^^ Thus, 
alongside the guiding principles, a set of instances of best practice were developed, offer- 
ing more concrete examples of implementation of the principles. 

Our approach stresses the importance of viewing principles not as quasi-rules, but 
as starting points for deliberation'"*'' to exercise action and judgement within the exist- 
ing legal regime. It openly acknowledges that principles might conflict and that dis- 
cretion must be exercised in order to determine which set of principles should hold 
sway in the particular circumstance. The value of this approach is that it invites and 
requires reflection and justification. The principles that were identified were devel- 
oped through engaging stakeholders on the issues and distilling these down to key 
principles that provided a common language for deliberation on whether and how 
sharing and linkage should occur. Self-evidently, the two principal principles at stake 
are: (1) promotion of the public interest and (2) protection of the privacy and other 
interests of citizens. A PBR approach would suggest that decision-makers strive to align 
as many principles as possible, for example, by promoting anonymised data to deliver 
robust research in the public interest. Where, however, this cannot happen, then other prin- 
ciples might come into play. In the example above, where anonymisation cannot happen 
or would unduly compromise the study, then it is a rebuttable presumption that patient 
consent should be sought.'^** Where consent is neither possible nor practical, the princi- 
ples call for authorisation from an appropriate body /research ethics committee. 

Developing a set of agreed principles is not necessarily a clear-cut or smooth process. 
It implicates all stakeholders within the regulatory landscape and as mentioned, must 
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achieve a balance between versatility and specificity, whilst simultaneously remaining 
true to its goal of nurturing respect for the various considerations evoked by a particular 
framework. However, whilst the articulation and establishment of a set of principles is, in 
our view, an integral foundation for a good governance framework, principles are by no 
means intended to replace the role or content of legislation. Rather, they stress the values 
and norms to be considered in addition to the legislative demands upon different actors. 
Whilst the law provides flexibilities and space in between rules to exercise discretion, the 
principles provide a common framework'^** for discussing and deciding what should be 
done,'^* formed around the key considerations at stake. By the same token, guiding prin- 
ciples within a framework should not be regarded as optional or unimportant: they are 
the manifestation of key ethical norms and must be given due regard. This is so whether 
or not they engage legal sanctions for non-observation. Thus, achieving buy-in and 
endorsement from key actors is integral to the successful adoption of and respect for 
principles. Their generic nature can be a strength. 

The Scottish Government adopted an iteration of our Guiding Principles and Best Prac- 
tice for its Scotland- wide Data Linkage Framework for Statistical and Research Purposes. ' 
Such an endorsement and the proliferation that it guarantees across the Scottish research 
community demonstrate the importance placed on having an accessible and flexible expres- 
sion of central values and standards for decision-making in the research context. The UK 
ICO has taken a similar approach to offering best practice guidance in its new code of prac- 
tice for anonymisation.'^^ Similarly, to our GPBP, the ICO has made the purpose of the gui- 
dance explicit, in stressing that it is not designed to replace legislation (in this instance, the 
UK DPA), but rather to 'plug that gap ' ' between the minimal legal requirements set out by 
the legislation and the practical measures to take to facilitate compliance. 

Safe, effective and proportionate governance 

Proportionality is a concept, which ensures that any measures taken (whether in terms of 
sanctions for breaches/non-observation of key standards, or anticipatory measures in 
place to assess risks within an organisation or across a regulatory landscape) correspond 
to the gravity of any breaches, actual or anticipated.'^^ But, it is not first and foremost 
about sanction. It is about matching the right governance pathway with the right risk 
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assessment - long before there is a need to consider sanctions. This raises once again the 
central role that risk assessment plays in facilitating proportionate governance and the 
importance of a holistic approach to risk and which encompasses a range of risks that 
might include risk to privacy and reputation, or of distress to individuals through 
re-identification. SHIP has adopted such a holistic approach. 

Our risk-based approach demands that certain benchmarks must be met before a 
holistic risk assessment is made. These benchmarks include seeking assurance on the fol- 
lowing: safe data, safe people and safe environment. 'Safe data' involves data 'ade- 
quately protected in a manner corresponding with its sensitivities, but this should not 
be to the extent that it renders data inaccessible or extremely difficult to access for 
important research purposes.''^* A host of considerations are engaged when assessing 
whether data are safe, including: whether consent is needed; whether a data reuse has 
been justified (particular where anonymisation is not practicable or desirable); the level 
of anonymisation, how disclosive the linked data may be, that is, how likely is it that 
individuals might be identified if the data are put in the public domain. 

'Safe people' corresponds to the need for effective training of individuals and a clear 
articulation of the roles and responsibilities of different individuals throughout the 
course of the data life cycle. SHIP operates a researcher accreditation system. A 'safe 
environment' involves incorporation of sufficient security measures in order to ensure 
that data are safeguarded. For example, one must consider who has access to the data and 
in what circumstances the data may travel, if at all. 

The paradigm example of this tripartite benchmark approach coming together is in 
one of the SHIP safe havens. This approach has been recommended by the Data Sharing 
Review, the AMS Report and most recently, the Caldicott Review. Much access is facili- 
tated through these havens, which embody the three elements of safe data, people and 
environment and typify a form of principled, proportionate governance. This approach 
does not, however, work for all research, and so a more extended model also operates. 
Moreover, if any application fails on any of these three benchmark criteria, a full con- 
sideration by an authorising body is required. 

In addition and directly related to the key benchmarks, we constructed a system that 
categorises different types of data access applications according to different categories 
of risk. In turn, these stratified risk categories correspond directly to increasingly strin- 
gent terms and conditions that must be met in order to achieve authorisation for a link- 
age to go ahead. The SHIP online toolkit (discussed below) helps researchers to anticipate 
the category in which their access application is likely to fit; this means, in turn, that the 
researchers can include the relevant details of relative risks associated with their study in 
anticipation of the terms and conditions to which an approval might be subject. 

Categorisation is a manifestation of proportionality. For example, in situations where 
the privacy risks are minimal or negligible, and the likelihood of subsequent disclosure 
very small, no further review will be needed. Where risks are marginally greater, a fast- 
track process can be deployed that does not oblige a researcher to travel all the way to a 
safe haven to carry out the linkage. The highest risk applications must always be 
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Figure I . Categorisation of applications. 



scrutinised by a suitably appointed authorising body. A Research Coordinator is respon- 
sible for advising from an early stage under which category an application should be 
made and a system of precedents will be built up over time. This further streamlines the 
processes and reduces undue burden in preparation of applications. Importantly, and 
reflecting the legal position, the data controller always retains the right to disagree with 
a categorisation and/or to refuse linkage or sharing in the final analysis. 

In sum, SHIP has taken a four-levelled approach to categorisation, inspired by the 
Understanding Society Project Data Access Strategy.'^^ This promotes further interoper- 
ability across sectors. The process is represented in Figure 1 . 

Category 0. This relates to data already in the public domain. Applicants are encouraged 
to make full use of such data, and these data are brought to their attention if research 
questions can be answered without the need to link personal or non-public data. This 
categorisation exercise might involve a prospective disclosure control exercise. 

Category I — low impact. These applications are those where risks are thought to be min- 
imal or negligible, and in particular, where outputs are non-disclosive and non-sensitive. 
Examples include those where no concerns are raised at stages one or two; the applica- 
tion is for a linkage which is non-disclosive and non-sensitive, a safe haven system'^^ 
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158. For technical details on how SHIP operates, particularly the role of safe havens, consult the 
SHIP Blueprint. Available at: http://www.sco_ship.ac.uk/publications (accessed 10 May 
2013). 



Sethi and Laurie 



201 



will be used, and/or applications are for a non-contentious extension of a previously 
approved linkage. 

Category 2 - medium impact. Category 2 applications are those where issues might be 
flagged for possible further consideration. These could be sent to the relevant advisory 
committee (in the case of SHIP, this would be PAC for Scotland) in an expedited form. 
Examples include applications with moderate risks or concerns arising from the privacy 
impact assessment at stage two; with repeat requests from multiple sector/international/ 
researchers who are able to demonstrate a trusted track record with respect to SHIP and 
where the application is for a non-sensitive and non-disclosive linkage but safe haven 
system will not be used. 

Category 3 - high impact. These applications would be subjected to full PAC approval 
mechanisms. Examples include applications that fail to satisfy any one of the criteria for 
assessment at stage one (e.g. questions over the public interest in the research, safe data, 
safe people or safe environments, or wider risks such as reputation of the data controller); 
raise concerns arising from the privacy impact assessment at stage two (e.g. very sensi- 
tive data; serious risks of disclosiveness) and/or are multiple sector or international lin- 
kages being requested for the first time. 

In all cases, appropriate terms and conditions for sharing and linkage reflect the nature 
of the governance pathway followed by any given application and can be associated with 
different categories of applications. For example, category 3 might attract additional 
conditions about security or guarantees of no further linkages. Category 1 should be 
treated as standard linkages subject to everyday duties of confidentiality and institutional 
standards. 

The categorisation approach is designed not only to offer a more proportionate 
approach to risk allocation but to harmonise and speed-up the review process, render- 
ing the applications and approvals process more efficient for researchers and data cus- 
todians alike. It is sufficiently generic to be of interest and value across a range of 
data linkage scenarios, both within the health sector and beyond, and also inside and 
outside Scotland. The remaining two elements of the SHIP model are an online training 
and accreditation module and guidance on roles and responsibilities of data controllers. 
Thus, in sum. Figure 2 summarises the approach that was employed in developing the 
PPGM. 



Limitations and challenges for the model 

As with all models, the SHIP approach has its limitations. It is important to note two 
points here. First, SHIP does not attempt to address the prevailing culture of caution 
by providing more certainty, at least in the first instance. If anything, it embraces the 
reality that delicate and, at times, difficult judgement calls about data linkage must be 
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made. It might not, therefore, reassure some actors who seek more immediate clarity and 
security. We suggest, however, that such a search for security is illusory. What is needed, 
in particular, is a shift from defensive consent-reliant attitudes towards more confident 
data sharing and access, adopting a range of alternative mechanisms such as authorisa- 
tion. It is hoped that the key elements of our approach, especially the training programme 
and the guiding principles, can serve to reassure researchers and data custodians when 
navigating the governance landscape. 

Second, in order to operate effectively and timeously, there is a need for adequate 
resource and training for decision-makers themselves, including data controllers. It will 
only be through uptake and use of the system that streamlining benefits will be realised. 
In particular, the role of the Research Coordinator is crucial. This will often require addi- 
tional resource, or redeployment, within organisations. If this resource is not put in place, 
delays will occur and time frames will not be respected. The aspiration of proportionality 
can only partly be delivered through iterative design. Its execution also requires commit- 
ted personnel. 

Conclusion 

The SHIP principled proportionate governance model has identified and seeks to address 
the pressing needs of research uses of health data, for which the current regulatory frame- 
work is both untenable and undesirable. The model challenges the traditional obstacles 
within the landscape, encouraging a shift away from the culture of caution and a willing- 
ness to take advantage of the flexibilities within the current landscape. It offers a data 
linkage regime that reflects iterative, intelligent design, taking into account both research 
and public expectations. Key elements of the model include (1) guiding principles and 
best practice, (2) safe, effective and proportionate governance, (3) an articulation of the 
roles and responsibilities of data controllers and data processors and (4) the development 
of a researcher training programme, including appropriate vetting procedures prior to 
sharing valuable data. 

The research and collaborations under the SHIP project serve as a case in point that 
a flexible, accessible solution can be developed and adopted, not only in the health 
research setting but across sectors and across jurisdictions. The model builds upon 
existing approaches to information governance and goes far beyond them, whilst 
retaining due regard for the ethical and legal norms at stake. It offers a practical solu- 
tion to moving forward in realising the potential benefits of data uses for health 
research and which can be implemented currently, rather than awaiting (yet further) 
legislative reforms. It recognises the important place of consent by making it a rebut- 
table presumption of research governance, whilst offering a clearer role for comple- 
mentary governance mechanism, such as authorisation. These promote risk-based 
approaches and principle-based reflection, judgement and communication of 
decision-making. It is a model that is anticipatory in design, adaptable to future (immi- 
nent) developments in data linkage, most notably for cross-sectoral and international 
settings. Proportionality plays a central role in enabling decision-makers to undertake 
appropriate evaluation of risks and benefits. It helps to ensure that researchers and data 
custodians are not practising conservative data sharing out of fear of sanctions. At the 
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same time, it acknowledges that sanctions that are imposed should be relative to the 
risks involved. The model determinedly complements any existing or future legal 
framework by seeking to fill the spaces within it. Principles and instances of best prac- 
tice offer a means of universalisable deployment of relevant norms and values, promot- 
ing high standards of research across the data sharing life cycle, across diverse settings, 
with concrete examples of how these principles can be implemented. Most notably, this 
principled proportionate approach offers a concrete means of balancing both the public 
interests in health research and protection of patient privacy. 
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